Vidar

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of vengeance. This upgraded version of the Arkei stealer has been terrorizing the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 31 March, 2020
Also known as: Arkei
Global rank: 21
Week rank: 13
Month rank: 17
IOCs: 865

What is Vidar / Arkei malware?

Vidar is an information stealer Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected machines, take screenshots, steal cryptocurrency and more.

General description of Vidar

Vidar is presumed to have originated in a Russian-speaking country, since the malware is configured to stop execution if it detects that it is running on a machine located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another malware available for purchase under the MaaS (Malware-as-a-Service) business model, Vidar can be bought on its “official” website for a hefty price tag of $700, at least for the PRO version. A stripped-down version of the malware, though, can be obtained for just $250.

Vidar is written in the C++ programming language. Purchasing an account grants the attacker access to a control panel where the malware can be configured by the cybercriminal to target particular information on the victims’ PCs. As with Arkei, cybercriminals need to take precautions to secure the main payload themselves, using a cryptor or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names Vidar uses to locate its C&C servers, where stolen data is dropped, change every four days.

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records (including data from TOR), as well as autofill values including banking and credit card details. In addition, the malware can search for cryptocurrency wallet information, take screenshots and record private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar malware analysis

A video recorded in ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.


Figure 1: A visual process graph generated by ANY.RUN


Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

After the user downloads and runs a malicious file, it spawns a child process and starts to collect information from the infected device. Often, once the information has been collected, the malware kills and deletes itself through a command-line command.
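One way a defender can surface the self-deletion step described above, as an added example that is not from this page or from ANY.RUN: it scans constructed process-creation events for a cmd.exe child whose del command names its parent's own executable. The event fields, paths and command lines are assumptions made for the sample.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record, modelled on Sysmon-style fields (assumed shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (not taken from the page or from a real sample):
# a downloaded payload spawns a worker child, then a cmd.exe child that
# deletes the parent's own executable once collection is finished.
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Users\u\Downloads\invoice.exe",
              r'"C:\Users\u\Downloads\invoice.exe"'),
    ProcEvent(1010, 1000, r"C:\Users\u\Downloads\invoice.exe",
              r'"C:\Users\u\Downloads\invoice.exe" /collect'),
    ProcEvent(1020, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /f /q "C:\Users\u\Downloads\invoice.exe"'),
    # Benign cleanup of a log file by an unrelated parent: must not be flagged.
    ProcEvent(1030, 700, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del /f /q C:\Temp\old.log"),
]

# A del/erase verb and its arguments, up to the next command separator.
DEL_RE = re.compile(r"\b(?:del|erase)\b[^&|]*", re.IGNORECASE)


def self_delete_candidates(events):
    """Return (child_pid, parent_pid, parent_image) for every cmd.exe child whose
    del/erase argument list names the image file of its own parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not e.image.lower().endswith("cmd.exe"):
            continue
        for m in DEL_RE.finditer(e.cmdline):
            if parent.image.lower() in m.group(0).lower():
                hits.append((e.pid, parent.pid, parent.image))
                break
    return hits


if __name__ == "__main__":
    for child, parent, image in self_delete_candidates(SAMPLE_EVENTS):
        print(f"pid {child} deletes parent pid {parent} image {image}")
```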

How to avoid infection by Vidar?

When spread via spam email campaigns, Vidar stealer requires the user to download and run a malicious file in order to enter an active state and begin execution. Therefore, following some basic online safety rules can keep users safe from this malware.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of being infected with malware such as Vidar, which uses these attack vectors to infect victims.

The distribution process of Vidar

Like other malware, Vidar / Arkei is distributed through spam email campaigns as a malicious attachment. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar targets users all over the world with the exception of some ex-USSR countries, including Russia.

How to detect Vidar / Arkei using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering". Open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a highly dangerous information stealer trojan, distributed as malware-as-a-service. Thanks to its extensive stealer feature set, the Vidar trojan can be used to retrieve a wide variety of information, including select cryptocurrency coins from users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, allowing them to spread information about the danger and develop effective countermeasures.

IOCs

